Researcher warns popular gaming plug-in puts millions of web users at risk from data thieves

In a demo posted on YouTube, the researcher shows how a flaw in the Unity Web Player could let an attacker access a Gmail account

Flaw in Unity Web Play puts users at risk

Flaw in Unity Web Play puts users at risk

A researcher is warning that a gaming plug-in installed on over 200 million PCs contains a flaw that could let attackers steal users' data from websites they're logged into, such as their Web mail and social networking accounts.

The technology in question, from Unity Technologies, is used by hundreds of thousands of developers to create online games and other interactive 3D content. The flaw, which the researcher says hasn't been patched yet, is located in the Unity Web Player, a plug-in that needs to be installed inside browsers in order to display Unity-based Web apps.

Unity Technologies, based in San Francisco, didn't immediately respond to a request for comment.

The Unity engine allows developers to create 3D content that will work across a variety of mobile, desktop and gaming platforms, including in browsers such as Firefox, Chrome, Internet Explorer, Safari and Opera. The technology is popular with online game developers and is even endorsed by Facebook, which offers a software development kit for integrating Unity-based games with Facebook features.

According to Unity Technologies, the Unity Web Player was installed on over 200 million computers as of March 2013. The company says it serves over 700,000 monthly active developers, ranging from large publishers to hobbyists, and that it "touches" 600 million gamers all over the world through games made using its engine.

This week, Finnish security researcher Jouko Pynnönen reported finding a way to bypass the cross-domain policy enforced by the plug-in to access other websites with the credentials of the active browser user.

The cross-domain policy is normally supposed to prevent a Unity-based Web application loaded from a particular domain name from accessing resources from other domains, Pynnönen said Tuesday in a blog post.

However, the researcher found a vulnerability that allows a malicious app to trick the player into allowing requests to be made to third-party websites.

He created a proof-of-concept Unity app that, when loaded by the browser plug-in, accesses the user's Gmail account if he has an active Gmail session and sends his emails back to the attacker.

The same attack could be done against users logged into Facebook or any other website as long as they have the Unity Web Player installed.

"Depending on the web browser and its version, the plugin may or may not start directly without confirmation," the researcher said.

The attack will no longer work by default in the recent versions of Chrome, because starting with Chrome version 42, released in April, the browser no longer supports plug-ins based on the aging Netscape Plugin Application Programming Interface (NPAPI). There is currently a workaround to manually re-enable NPAPI plug-ins in Chrome, but it will only work for a few more months as Google plans to completely ban NPAPI plug-ins from Chrome later this year.

The researcher claims that he tried to report the bug to Unity Technologies, once in February and once in April. However, he only heard back from the company Wednesday, a day after he disclosed the vulnerability publicly.

"According to their email, the QA team has picked up the bug reports today and an improved security response procedure is in the works," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags online safetyUnity TechnologiessecurityExploits / vulnerabilitiesprivacyFacebook

More about FacebookGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place